Switchport security, but at layer-3

Unanswered Question
Jun 17th, 2008

I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.


What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.


What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?


Kevin Dorrell

Luxembourg
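The nearest approximation to this with stock IOS features is to let a port ACL log the offending traffic and act on the log, rather than having the switch errdisable the port by itself. The script below is an added example, not something posted in this thread or shipped by Cisco; it assumes a port ACL (constructed here as FLAG-FOREIGN, with `log-input` so the message carries the ingress interface and source MAC) that denies DHCP client requests and any source in 169.254.0.0/16 on ports where hosts are not expected to use DHCP, and it parses the resulting %SEC-6-IPACCESSLOG messages to find the ports and MACs that matched. The syslog lines are constructed to match the shape of those messages, not captured from a real switch.

```python
"""Pick out access ports showing foreign-device traffic from IOS ACL log lines.

Added example, not part of the forum thread.  Assumed port ACL on each
access port (constructed for this example):

    ip access-list extended FLAG-FOREIGN
     deny   udp any eq bootpc any eq bootps log-input
     deny   ip 169.254.0.0 0.0.255.255 any log-input
     permit ip any any
"""
import ipaddress
import re
from collections import defaultdict

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample syslog text (not a real capture), shaped like the
# IOS IPACCESSLOG messages that 'log-input' produces.  TCP/UDP matches
# carry ports in parentheses; other protocols do not.
SAMPLE_SYSLOG = """\
Jun 17 10:01:02.123: %SEC-6-IPACCESSLOGP: list FLAG-FOREIGN denied udp 0.0.0.0(68) (GigabitEthernet2/7 0011.2233.4455) -> 255.255.255.255(67), 1 packet
Jun 17 10:01:05.456: %SEC-6-IPACCESSLOGNP: list FLAG-FOREIGN denied ip 169.254.2.2 (GigabitEthernet2/7 0011.2233.4455) -> 169.254.255.255, 3 packets
Jun 17 10:02:00.789: %SEC-6-IPACCESSLOGP: list FLAG-FOREIGN denied udp 10.1.1.50(68) (GigabitEthernet2/9 00aa.bbcc.ddee) -> 255.255.255.255(67), 1 packet
Jun 17 10:02:30.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Tolerant pattern: the message suffix (P / NP / DP) and the port numbers
# vary with the protocol of the packet that matched the deny line.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict of the ACL-log fields, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["count"] = int(rec["count"])
    return rec


def classify(rec):
    """List the policy reasons a logged packet counts as foreign-device traffic."""
    reasons = []
    if ipaddress.ip_address(rec["src"]) in APIPA:
        reasons.append("link-local source %s" % rec["src"])
    # bootpc (68) -> bootps (67) is a DHCP client talking; a 0.0.0.0 source
    # is the usual DISCOVER/REQUEST from a host with no lease yet.
    if rec["proto"] == "udp" and rec["sport"] == 68 and rec["dport"] == 67:
        reasons.append("DHCP client request")
    return reasons


def find_violations(syslog_text):
    """Map ingress interface -> [(source MAC, reason), ...] for matching lines."""
    hits = defaultdict(list)
    for line in syslog_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            hits[rec["intf"]].append((rec["mac"], reason))
    return dict(hits)


def ports_to_review(syslog_text):
    """Sorted list of interfaces an operator would shut or investigate."""
    return sorted(find_violations(syslog_text))


if __name__ == "__main__":
    for intf, events in find_violations(SAMPLE_SYSLOG).items():
        for mac, reason in events:
            print("%s %s: %s" % (intf, mac, reason))
```

Because the MAC in these messages is the PC's own (the question notes the USB-attached device borrows it), the source address and the DHCP attempt are the only distinguishing signals, which is why the ACL logs on both. ACL logging is rate-limited and handled in software on the switch, so this is a reactive control: it identifies the port after the fact, which matches the "restrict rather than shutdown" behaviour the later replies describe.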

Kevin Dorrell Fri, 06/20/2008 - 04:58

Giuseppe,


Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.


Kevin Dorrell

Luxembourg


Kevin Dorrell Mon, 06/23/2008 - 23:26

Giuseppe,


Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).


The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".


However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!


Thanks.


Kevin Dorrell

Luxembourg

